SKF write-ups
NodeJS - GraphQL Mutations

Running the app (NodeJS)

First make sure Node.js and npm are installed on your host machine. After installation, go to the folder of the lab you want to practice (e.g. /skf-labs/XSS, /skf-labs/RFI/) and run the following commands:
$ npm install
$ npm start
Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following:
mutation {
  createPost(title: "This is a new title", body: "This is a new post", author_id: 2) {
    id
    title
    body
    author_id
  }
}
If we look at the code, the Mutation type defines a createPost field whose resolver implements the logic to create a post:
const mutationType = new graphql.GraphQLObjectType({
  name: "Mutation",
  fields: {
    createPost: {
      type: PostType,
      args: {
        title: {
          type: new graphql.GraphQLNonNull(graphql.GraphQLString),
        },
        body: {
          type: new graphql.GraphQLNonNull(graphql.GraphQLString),
        },
        // author_id is read straight from the client's mutation arguments
        author_id: { type: new graphql.GraphQLNonNull(graphql.GraphQLID) },
      },
      resolve: (root, { title, body, author_id }) => {
        return new Promise((resolve, reject) => {
          database.run(
            "INSERT INTO Posts (title, body, author_id) VALUES (?,?,?);",
            [title, body, author_id],
            (err) => {
              if (err) {
                reject(null);
                return; // do not fall through to the SELECT when the INSERT failed
              }
              // fetch the id of the row that was just inserted
              database.get("SELECT last_insert_rowid() as id", (err, row) => {
                resolve({
                  id: row["id"],
                  title: title,
                  body: body,
                  author_id: author_id,
                });
              });
            }
          );
        });
      },
    },
  },
});
The resolve function just takes the fields of the new post, including the author_id supplied by the client, and inserts a row in the database.
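As an added example (not the lab's own code), the resolver above rewritten against an in-memory stand-in for the Posts table so it runs with plain node, beside a hardened variant that takes the author from the authenticated request context instead of from the mutation arguments. The makeDb helper, the context shape ({ user: { id } }) and the function names are assumptions.

```javascript
// Constructed in-memory stand-in for the SQLite "Posts" table used by the lab.
function makeDb() {
  const posts = [];
  return {
    insertPost(title, body, author_id) {
      const id = posts.length + 1; // mimics last_insert_rowid()
      posts.push({ id, title, body, author_id });
      return id;
    },
    posts,
  };
}

// Same shape as the lab's resolver: whatever author_id the client sends
// is stored as the post's author, so the server cannot tell who really
// created the post.
function createPostVulnerable(db, args) {
  const { title, body, author_id } = args;
  const id = db.insertPost(title, body, author_id);
  return { id, title, body, author_id };
}

// Hardened resolver: author_id is not accepted as an argument at all. The
// author is taken from the session the server attached to the GraphQL
// context, and the mutation fails closed when nobody is logged in.
function createPostHardened(db, args, context) {
  if (!context || !context.user || context.user.id == null) {
    throw new Error("Unauthenticated: createPost requires a logged-in user");
  }
  const { title, body } = args;
  if (typeof title !== "string" || typeof body !== "string") {
    throw new Error("title and body must be strings");
  }
  const author_id = String(context.user.id); // GraphQLID is serialised as a string
  const id = db.insertPost(title, body, author_id);
  return { id, title, body, author_id };
}

// Runs the two resolvers side by side and reports which author each stored.
function compare() {
  const db = makeDb();
  const args = { title: "This is a new title", body: "This is a new post", author_id: "2" };
  const session = { user: { id: 7 } };
  return {
    vulnerableAuthor: createPostVulnerable(db, args).author_id,
    hardenedAuthor: createPostHardened(db, args, session).author_id,
  };
}
```

compare() stores author "2" through the vulnerable path and author "7" (the logged-in user) through the hardened one, even though both received the same arguments.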

Exploit

What can you exploit? ;)

Additional resources

GraphQL - OWASP Cheat Sheet Series